crypto/tls: properly return ECH retry configs

When ECH is rejected, properly take retry configs from the encrypted extensions message. Also fix the bogo shim to properly test for this behavior. We should properly map the full BoringSSL -> Go errors so that we don't run into a similar failure in the future, but this is left for a follow up CL. Fixes #70915 Change-Id: Icc1878ff6f87df059e7b83e0a431f50f1fea833c Reviewed-on: https://go-review.googlesource.com/c/go/+/638583 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2025-04-01 19:17:36 +03:00 · 2024-12-30 10:36:55 -08:00 · 2024-12-30 10:36:55 -08:00 · ade44c2ba6
commit ade44c2ba6
parent a43aca286c
3 changed files with 13 additions and 9 deletions
--- a/bogo_config.json
+++ b/bogo_config.json
@ -246,5 +246,8 @@
        25,
        29,
        4588
-    ]
+    ],
+    "ErrorMap": {
+        ":ECH_REJECTED:": "tls: server rejected ECH"
+    }
 }
--- a/handshake_client.go
+++ b/handshake_client.go
@ -260,6 +260,7 @@ type echClientContext struct {
 	kdfID           uint16
 	aeadID          uint16
 	echRejected     bool
+	retryConfigs    []byte
 }

 func (c *Conn) clientHandshake(ctx context.Context) (err error) {
--- a/handshake_client_tls13.go
+++ b/handshake_client_tls13.go
@ -85,7 +85,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 		}
 	}

-	var echRetryConfigList []byte
 	if hs.echContext != nil {
 		confTranscript := cloneHash(hs.echContext.innerTranscript, hs.suite.hash)
 		confTranscript.Write(hs.serverHello.original[:30])
@ -114,9 +113,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 			}
 		} else {
 			hs.echContext.echRejected = true
-			// If the server sent us retry configs, we'll return these to
-			// the user so they can update their Config.
-			echRetryConfigList = hs.serverHello.encryptedClientHello
 		}
 	}

@ -155,7 +151,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error {

 	if hs.echContext != nil && hs.echContext.echRejected {
 		c.sendAlert(alertECHRequired)
-		return &ECHRejectionError{echRetryConfigList}
+		return &ECHRejectionError{hs.echContext.retryConfigs}
 	}

 	c.isHandshakeComplete.Store(true)
@ -601,9 +597,13 @@ func (hs *clientHandshakeStateTLS13) readServerParameters() error {
 			return errors.New("tls: server accepted 0-RTT with the wrong ALPN")
 		}
 	}
-	if hs.echContext != nil && !hs.echContext.echRejected && encryptedExtensions.echRetryConfigs != nil {
-		c.sendAlert(alertUnsupportedExtension)
-		return errors.New("tls: server sent encrypted client hello retry configs after accepting encrypted client hello")
+	if hs.echContext != nil {
+		if hs.echContext.echRejected {
+			hs.echContext.retryConfigs = encryptedExtensions.echRetryConfigs
+		} else if encryptedExtensions.echRetryConfigs != nil {
+			c.sendAlert(alertUnsupportedExtension)
+			return errors.New("tls: server sent encrypted client hello retry configs after accepting encrypted client hello")
+		}
 	}

 	return nil